CVE-2026-7879 in Concreteinformação

Sumário

de MITRE • 22/05/2026

In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded and any user who knows a file's password can download a password protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Youssef Eid for reporting

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsável

ConcreteCMS

Reservar

05/05/2026

Divulgação

22/05/2026

Moderação

aceite

Entrada

VDB-365093

CPE

pronto

CWE

CWE-862 (confirmado)

CVSS

3.7 (VulDB)

EPSS

0.00030

KEV

não

Atividades

muito baixo

Sector

Agriculture, Hostingprovider, ...

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-7879
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-7879
CVE Details	https://www.cvedetails.com/cve/CVE-2026-7879/

◂ Voltar Visão Geral Próximo ▸

Might our Artificial Intelligence support you?

Check our Alexa App!